#6504: Messages viewable to any logged out visitor
-----------------------------------+--------------------
Reporter: CodeMonkeyBanana | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.3.2
Component: Component - Messaging | Version:
Severity: blocker | Resolution:
Keywords: has-patch |
-----------------------------------+--------------------
Comment (by boonebgorges):
Replying to [comment:12 sbrajesh]:
> There is a simple solution to the user id spoofing.
> Unless we add roles/caps in future who can see other's message, we can
> simply reset user_id in bp_has_message_threads after the parsing of the
> arguments. Except if super admin, it should always reset to
> get_current_user_id() for now.
>
> That will avoid any future leak there.
Yes, this is probably the most secure thing to do, though I'm not a big
fan of doing these kinds of blocks at the level of the template function.
I'm going to ping you on Slack to chat more about it :)
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6504#comment:13>
BuddyPress Trac <http://buddypress.org/>
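The mitigation sbrajesh proposes above, written out as an added example; this is not BuddyPress core code and not the patch attached to the ticket. It pins the message-thread loop to the logged-in user after argument parsing, lets only a super admin pass a different user_id, and empties the loop for logged-out visitors. The two hook names are assumptions: 'bp_after_has_message_threads_parse_args' (emitted by bp_parse_args() when bp_has_message_threads() parses its arguments) and 'bp_has_message_threads' (applied to the loop's boolean result); get_current_user_id(), is_super_admin() and is_user_logged_in() are the standard WordPress functions.

```php
<?php
/**
 * Plugin Name: Example - pin message threads to the viewer
 *
 * Added example, not BuddyPress core code. Applies the fix suggested in
 * comment 12: after bp_has_message_threads() has parsed its arguments,
 * overwrite user_id with the logged-in user's id unless the viewer is a
 * super admin. Hook names below are assumed, see the lead-in.
 */

/**
 * Decide which user_id the thread loop may query for.
 * Kept as a pure function so the rule is easy to read and to unit test.
 *
 * @param int  $requested_user_id    user_id as passed to the loop (possibly spoofed).
 * @param int  $viewer_id            get_current_user_id(); 0 when logged out.
 * @param bool $viewer_is_super_admin Whether the viewer may read other members' threads.
 * @return int The user_id the loop is allowed to use.
 */
function example_allowed_thread_user_id( $requested_user_id, $viewer_id, $viewer_is_super_admin ) {
	// Nobody logged in: no owner at all; the loop is emptied further below.
	if ( 0 === (int) $viewer_id ) {
		return 0;
	}

	// Super admins may inspect another member's threads (the one exception
	// the comment allows "for now").
	if ( $viewer_is_super_admin ) {
		return (int) $requested_user_id;
	}

	// Everyone else is pinned to their own id, whatever the request said.
	return (int) $viewer_id;
}

/**
 * Filter callback: runs after bp_has_message_threads() has parsed $args.
 */
function example_pin_message_thread_owner( array $args ) {
	$viewer = get_current_user_id();

	$args['user_id'] = example_allowed_thread_user_id(
		isset( $args['user_id'] ) ? $args['user_id'] : $viewer,
		$viewer,
		is_super_admin( $viewer )
	);

	return $args;
}
add_filter( 'bp_after_has_message_threads_parse_args', 'example_pin_message_thread_owner' );

/**
 * Belt and braces: a logged-out visitor never gets a non-empty loop,
 * regardless of what the underlying query returned.
 */
function example_no_threads_when_logged_out( $has_threads ) {
	return is_user_logged_in() ? $has_threads : false;
}
add_filter( 'bp_has_message_threads', 'example_no_threads_when_logged_out' );
```

Dropping this file into wp-content/mu-plugins/ activates it without the admin UI. The decision is split into a pure function so the access rule can be checked in isolation: for a logged-out viewer it yields 0, for an ordinary member it always yields that member's own id even when a different user_id was requested, and only a super admin keeps the requested id.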